@vibe-agent-toolkit/cli 0.1.33 → 0.1.34

package/dist/commands/claude/plugin/plugin-validators.js

@@ -0,0 +1,59 @@
+/**
+ * Build-time validators for plugin declarations.
+ *
+ * - verifyPluginDirCaseMatch: guards against macOS/Windows case-insensitive FS drift
+ *   (plugin: "foo-bar" -> plugins/Foo-Bar/ locally would break on Linux CI).
+ * - verifyNoCaseCollidingPluginNames: rejects pairs whose toLowerCase() collides.
+ * - parsePluginJsonFiles: parse-only JSON validation of hooks.json + .mcp.json
+ *   (deep schema validation is Claude runtime's job).
+ */
+import { existsSync } from 'node:fs';
+import { readFile, readdir } from 'node:fs/promises';
+import { safePath } from '@vibe-agent-toolkit/utils';
+export async function verifyPluginDirCaseMatch(projectRoot, pluginName) {
+    const pluginsBase = safePath.join(projectRoot, 'plugins');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- controlled path
+    if (!existsSync(pluginsBase))
+        return;
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- controlled path
+    const entries = await readdir(pluginsBase, { withFileTypes: true });
+    const matchInsensitive = entries.find((e) => e.isDirectory() && e.name.toLowerCase() === pluginName.toLowerCase());
+    if (matchInsensitive && matchInsensitive.name !== pluginName) {
+        throw new Error(`Plugin "${pluginName}" declared in config, but on-disk directory is "plugins/${matchInsensitive.name}/". ` +
+            `Names must match exactly (case-sensitive). This check catches macOS/Windows case-insensitive FS drift ` +
+            `that would break on Linux CI. Rename the directory or the config entry to match.`);
+    }
+}
+export function verifyNoCaseCollidingPluginNames(names) {
+    const seen = new Map();
+    for (const name of names) {
+        const key = name.toLowerCase();
+        const prior = seen.get(key);
+        if (prior === name) {
+            throw new Error(`Plugin name "${name}" is declared more than once across marketplaces. ` +
+                `Plugin names must be globally unique within a repo; rename one.`);
+        }
+        if (prior && prior !== name) {
+            throw new Error(`Plugin names "${prior}" and "${name}" differ only in case. ` +
+                `They would collide on case-insensitive filesystems; rename one.`);
+        }
+        seen.set(key, name);
+    }
+}
+async function parseJsonFileIfPresent(path, label) {
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- resolved path
+    if (!existsSync(path))
+        return;
+    try {
+        // eslint-disable-next-line security/detect-non-literal-fs-filename -- resolved path
+        JSON.parse(await readFile(path, 'utf-8'));
+    }
+    catch (e) {
+        throw new Error(`${label} is not valid JSON: ${e.message}`);
+    }
+}
+export async function parsePluginJsonFiles(pluginSourceDir) {
+    await parseJsonFileIfPresent(safePath.join(pluginSourceDir, 'hooks', 'hooks.json'), 'hooks/hooks.json');
+    await parseJsonFileIfPresent(safePath.join(pluginSourceDir, '.mcp.json'), '.mcp.json');
+}
+//# sourceMappingURL=plugin-validators.js.map

package/dist/commands/claude/plugin/plugin-validators.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin-validators.js","sourceRoot":"","sources":["../../../../src/commands/claude/plugin/plugin-validators.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAErD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAErD,MAAM,CAAC,KAAK,UAAU,wBAAwB,CAC5C,WAAmB,EACnB,UAAkB;IAElB,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,CAAC;IAC1D,sFAAsF;IACtF,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO;IAErC,sFAAsF;IACtF,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,WAAW,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IACpE,MAAM,gBAAgB,GAAG,OAAO,CAAC,IAAI,CACnC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,WAAW,EAAE,CAC5E,CAAC;IACF,IAAI,gBAAgB,IAAI,gBAAgB,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC7D,MAAM,IAAI,KAAK,CACb,WAAW,UAAU,2DAA2D,gBAAgB,CAAC,IAAI,MAAM;YACzG,wGAAwG;YACxG,kFAAkF,CACrF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,KAAwB;IACvE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,GAAG,GAAG,IAAI,CAAC,WAAW,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YACnB,MAAM,IAAI,KAAK,CACb,gBAAgB,IAAI,oDAAoD;gBACtE,iEAAiE,CACpE,CAAC;QACJ,CAAC;QACD,IAAI,KAAK,IAAI,KAAK,KAAK,IAAI,EAAE,CAAC;YAC5B,MAAM,IAAI,KAAK,CACb,iBAAiB,KAAK,UAAU,IAAI,yBAAyB;gBAC3D,iEAAiE,CACpE,CAAC;QACJ,CAAC;QACD,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IACtB,CAAC;AACH,CAAC;AAED,KAAK,UAAU,sBAAsB,CAAC,IAAY,EAAE,KAAa;IAC/D,oFAAoF;IACpF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC;QAAE,OAAO;IAC9B,IAAI,CAAC;QACH,oFAAoF;QACpF,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC,CAAC;IAC5C,CAAC;IAAC,OAAO,CAAC,EAAE,CAAC;QACX,MAAM,IAAI,KAAK,CAAC,GAAG,KAAK,uBAAwB,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;IACzE,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,eAAuB;IAChE,MAAM,sBAAsB,CAC1B,QAAQ,CAAC,IAAI,CAAC,eAAe,EAAE,OAAO,EAAE,YAAY,CAAC,EACrD,kBAAkB,CACnB,CAAC;IACF,MAAM,sBAAsB,CAAC,QAAQ,CAAC,IAAI,CAAC,eAAe,EAAE,WAAW,CAAC,EAAE,WAAW,CAAC,CAAC;AACzF,CAAC"}

package/dist/commands/claude/plugin/tree-copy.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Tree-copy stream for plugin build.
+ *
+ * Copies everything under <sourceDir> to <destDir>, except:
+ *   - .claude-plugin/ (owned by plugin.json merge-write)
+ *
+ * Respects .gitignore via crawlDirectory (respectGitignore: true, the default).
+ * Returns counts keyed to the spec's YAML summary extension.
+ */
+export interface TreeCopyOptions {
+    sourceDir: string;
+    destDir: string;
+    warn?: (message: string) => void;
+}
+export interface TreeCopyResult {
+    commandsCopied: number;
+    hooksCopied: number;
+    agentsCopied: number;
+    mcpCopied: number;
+    filesCopied: number;
+}
+export declare function treeCopyPlugin(options: TreeCopyOptions): Promise<TreeCopyResult>;
+//# sourceMappingURL=tree-copy.d.ts.map

package/dist/commands/claude/plugin/tree-copy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"tree-copy.d.ts","sourceRoot":"","sources":["../../../../src/commands/claude/plugin/tree-copy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAQH,MAAM,WAAW,eAAe;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,KAAK,IAAI,CAAC;CAClC;AAED,MAAM,WAAW,cAAc;IAC7B,cAAc,EAAE,MAAM,CAAC;IACvB,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;CACrB;AAYD,wBAAsB,cAAc,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,cAAc,CAAC,CAiDtF"}

package/dist/commands/claude/plugin/tree-copy.js

@@ -0,0 +1,68 @@
+/**
+ * Tree-copy stream for plugin build.
+ *
+ * Copies everything under <sourceDir> to <destDir>, except:
+ *   - .claude-plugin/ (owned by plugin.json merge-write)
+ *
+ * Respects .gitignore via crawlDirectory (respectGitignore: true, the default).
+ * Returns counts keyed to the spec's YAML summary extension.
+ */
+import { existsSync } from 'node:fs';
+import { copyFile, mkdir } from 'node:fs/promises';
+import { dirname } from 'node:path';
+import { crawlDirectory, safePath, toForwardSlash } from '@vibe-agent-toolkit/utils';
+const EXCLUDE_PATTERNS = ['.claude-plugin/**'];
+function classifyRelative(rel) {
+    if (rel.startsWith('commands/'))
+        return 'commandsCopied';
+    if (rel.startsWith('hooks/'))
+        return 'hooksCopied';
+    if (rel.startsWith('agents/'))
+        return 'agentsCopied';
+    if (rel === '.mcp.json')
+        return 'mcpCopied';
+    return undefined;
+}
+export async function treeCopyPlugin(options) {
+    const { sourceDir, destDir, warn } = options;
+    const result = {
+        commandsCopied: 0,
+        hooksCopied: 0,
+        agentsCopied: 0,
+        mcpCopied: 0,
+        filesCopied: 0,
+    };
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- sourceDir resolved from config
+    if (!existsSync(sourceDir)) {
+        return result;
+    }
+    const authorMarketplaceJson = safePath.join(sourceDir, '.claude-plugin', 'marketplace.json');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- controlled path
+    if (existsSync(authorMarketplaceJson) && warn) {
+        warn(`Ignoring ${toForwardSlash(authorMarketplaceJson)}: marketplace.json is VAT-generated ` +
+            `at the marketplace level and cannot be supplied per-plugin.`);
+    }
+    const files = await crawlDirectory({
+        baseDir: sourceDir,
+        include: ['**/*'],
+        exclude: EXCLUDE_PATTERNS,
+        absolute: true,
+        filesOnly: true,
+        respectGitignore: true,
+        dot: true,
+    });
+    for (const absPath of files) {
+        const rel = toForwardSlash(safePath.relative(sourceDir, absPath));
+        const target = safePath.join(destDir, rel);
+        // eslint-disable-next-line security/detect-non-literal-fs-filename -- dest resolved from sourceDir+relative
+        await mkdir(dirname(target), { recursive: true });
+        await copyFile(absPath, target);
+        result.filesCopied += 1;
+        const bucket = classifyRelative(rel);
+        if (bucket) {
+            result[bucket] += 1;
+        }
+    }
+    return result;
+}
+//# sourceMappingURL=tree-copy.js.map

package/dist/commands/claude/plugin/tree-copy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"tree-copy.js","sourceRoot":"","sources":["../../../../src/commands/claude/plugin/tree-copy.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,cAAc,EAAE,QAAQ,EAAE,cAAc,EAAE,MAAM,2BAA2B,CAAC;AAgBrF,MAAM,gBAAgB,GAAG,CAAC,mBAAmB,CAAC,CAAC;AAE/C,SAAS,gBAAgB,CAAC,GAAW;IACnC,IAAI,GAAG,CAAC,UAAU,CAAC,WAAW,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACzD,IAAI,GAAG,CAAC,UAAU,CAAC,QAAQ,CAAC;QAAE,OAAO,aAAa,CAAC;IACnD,IAAI,GAAG,CAAC,UAAU,CAAC,SAAS,CAAC;QAAE,OAAO,cAAc,CAAC;IACrD,IAAI,GAAG,KAAK,WAAW;QAAE,OAAO,WAAW,CAAC;IAC5C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAAwB;IAC3D,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC;IAC7C,MAAM,MAAM,GAAmB;QAC7B,cAAc,EAAE,CAAC;QACjB,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;QACf,SAAS,EAAE,CAAC;QACZ,WAAW,EAAE,CAAC;KACf,CAAC;IAEF,qGAAqG;IACrG,IAAI,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAC3B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,MAAM,qBAAqB,GAAG,QAAQ,CAAC,IAAI,CAAC,SAAS,EAAE,gBAAgB,EAAE,kBAAkB,CAAC,CAAC;IAC7F,sFAAsF;IACtF,IAAI,UAAU,CAAC,qBAAqB,CAAC,IAAI,IAAI,EAAE,CAAC;QAC9C,IAAI,CACF,YAAY,cAAc,CAAC,qBAAqB,CAAC,sCAAsC;YACrF,6DAA6D,CAChE,CAAC;IACJ,CAAC;IAED,MAAM,KAAK,GAAG,MAAM,cAAc,CAAC;QACjC,OAAO,EAAE,SAAS;QAClB,OAAO,EAAE,CAAC,MAAM,CAAC;QACjB,OAAO,EAAE,gBAAgB;QACzB,QAAQ,EAAE,IAAI;QACd,SAAS,EAAE,IAAI;QACf,gBAAgB,EAAE,IAAI;QACtB,GAAG,EAAE,IAAI;KACV,CAAC,CAAC;IAEH,KAAK,MAAM,OAAO,IAAI,KAAK,EAAE,CAAC;QAC5B,MAAM,GAAG,GAAG,cAAc,CAAC,QAAQ,CAAC,QAAQ,CAAC,SAAS,EAAE,OAAO,CAAC,CAAC,CAAC;QAClE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;QAC3C,4GAA4G;QAC5G,MAAM,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;QAClD,MAAM,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChC,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;QAExB,MAAM,MAAM,GAAG,gBAAgB,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,MAAM,EAAE,CAAC;YACX,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;QACtB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/commands/corpus/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Corpus command group — Phase 1 ships only `scan`.
+ */
+import { Command } from 'commander';
+export declare function createCorpusCommand(): Command;
+//# sourceMappingURL=index.d.ts.map

package/dist/commands/corpus/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,wBAAgB,mBAAmB,IAAI,OAAO,CAoD7C"}

package/dist/commands/corpus/index.js

@@ -0,0 +1,53 @@
+/**
+ * Corpus command group — Phase 1 ships only `scan`.
+ */
+import { Command } from 'commander';
+import { corpusScanCommand } from './scan.js';
+export function createCorpusCommand() {
+    const corpus = new Command('corpus');
+    corpus
+        .description('Run vat audit (and optionally vat skill review) at scale across a tracked plugin seed')
+        .helpCommand(false);
+    corpus
+        .command('scan [seed-file]')
+        .description('Audit each plugin in the seed; write a per-run snapshot under --out')
+        .argument('[seed-file]', 'Path to seed YAML (default: corpus/seed.yaml)')
+        .requiredOption('--out <dir>', 'Output directory for the run snapshot (no default — must be specified)')
+        .option('--with-review', 'Also invoke vat skill review per plugin (LLM-backed; uses API tokens)')
+        .option('--debug', 'Enable debug logging and preserve cloned tempdirs')
+        .action(async function (seedFile) {
+        await corpusScanCommand(seedFile, this.optsWithGlobals());
+    })
+        .addHelpText('after', `
+Description:
+  Reads a seed YAML listing plugins to audit (each entry: { source, name,
+  validation? }), runs 'vat audit' against each (and optionally 'vat skill
+  review' with --with-review), writes summary.yaml plus per-plugin sibling
+  files into a date-sha subdirectory of --out.
+
+  source forms accepted (same as vat audit):
+    - local path (absolute or relative)
+    - https://host/owner/repo.git[#ref[:subpath]]
+    - GitHub web URL (https://github.com/owner/repo/tree/<ref>/<subpath>)
+    - GitHub shorthand (owner/repo, with optional #ref:subpath)
+    - SSH URL (git@host:owner/repo.git or ssh://...)
+    - file:// URL (local bare-repo testing)
+
+Output:
+  <--out>/<UTC-date>-<vat-short-sha>/
+    summary.yaml          # index: per-plugin status + totals
+    <name>-audit.yaml     # full audit output per plugin
+    <name>-review.md      # full skill-review output (only with --with-review)
+
+Exit codes:
+  0  - scan completed (regardless of unloadable plugins)
+  2  - scan failed to start (seed missing, --out missing, etc.)
+  130 - interrupted by SIGINT (partial results written)
+
+Example:
+  $ vat corpus scan --out ~/scratch/vat-corpus-runs
+  $ vat corpus scan corpus/seed.yaml --out ~/scratch/vat-corpus-runs --with-review
+`);
+    return corpus;
+}
+//# sourceMappingURL=index.js.map

package/dist/commands/corpus/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/commands/corpus/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAAE,iBAAiB,EAA0B,MAAM,WAAW,CAAC;AAEtE,MAAM,UAAU,mBAAmB;IACjC,MAAM,MAAM,GAAG,IAAI,OAAO,CAAC,QAAQ,CAAC,CAAC;IAErC,MAAM;SACH,WAAW,CAAC,uFAAuF,CAAC;SACpG,WAAW,CAAC,KAAK,CAAC,CAAC;IAEtB,MAAM;SACH,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,qEAAqE,CAAC;SAClF,QAAQ,CAAC,aAAa,EAAE,+CAA+C,CAAC;SACxE,cAAc,CAAC,aAAa,EAAE,wEAAwE,CAAC;SACvG,MAAM,CAAC,eAAe,EAAE,uEAAuE,CAAC;SAChG,MAAM,CAAC,SAAS,EAAE,mDAAmD,CAAC;SACtE,MAAM,CAAC,KAAK,WAA0B,QAA4B;QACjE,MAAM,iBAAiB,CAAC,QAAQ,EAAE,IAAI,CAAC,eAAe,EAAuB,CAAC,CAAC;IACjF,CAAC,CAAC;SACD,WAAW,CACV,OAAO,EACP;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA6BL,CACI,CAAC;IAEJ,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/commands/corpus/report.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Run-summary types + writer for `vat corpus scan`.
+ *
+ * `summary.yaml` is the index for one scan run. Per-plugin full audit
+ * outputs and full skill-review outputs are written as sibling files
+ * referenced by relative `output_path`. Totals are derived from the
+ * per-plugin rows so callers can pass raw rows and let this module
+ * compute aggregates.
+ */
+export type AuditStatus = 'success' | 'warning' | 'error' | 'unloadable';
+export type ReviewStatus = 'ok' | 'error' | 'skipped';
+export interface AuditSummary {
+    errors: number;
+    warnings: number;
+    info: number;
+    files_scanned: number;
+}
+export interface AuditOutcome {
+    status: AuditStatus;
+    duration_ms: number;
+    summary?: AuditSummary;
+    findings_emitted?: number;
+    output_path?: string;
+    error?: string;
+}
+export interface ReviewOutcome {
+    status: ReviewStatus;
+    duration_ms: number;
+    output_path?: string;
+    error?: string;
+}
+export interface PluginRow {
+    source: string;
+    name: string;
+    validation_applied: boolean;
+    audit: AuditOutcome;
+    review: ReviewOutcome;
+}
+export interface RunReport {
+    schema_version: 1;
+    generated_at: string;
+    vat_version: string;
+    vat_commit: string;
+    seed_file: string;
+    flags: {
+        with_review: boolean;
+        debug: boolean;
+    };
+    plugins: PluginRow[];
+}
+export interface RunTotals {
+    plugins: number;
+    audit_clean: number;
+    audit_warning: number;
+    audit_error: number;
+    unloadable: number;
+    reviewed?: number;
+}
+/**
+ * Compute totals over the per-plugin rows.
+ */
+export declare function computeTotals(report: RunReport): RunTotals;
+/**
+ * Build the run directory name: `<YYYY-MM-DD>-<vat-short-sha>`.
+ * Date is the UTC date of `generated_at`.
+ */
+export declare function runDirectoryName(report: RunReport): string;
+/**
+ * Write `summary.yaml` (and create the run directory) under `outDir`.
+ * Returns the absolute path of the created run directory. Per-plugin
+ * sibling files (audit outputs, review outputs) are written by the
+ * runner — this function only writes the summary index.
+ */
+export declare function writeRunReport(report: RunReport, outDir: string): Promise<string>;
+//# sourceMappingURL=report.d.ts.map

package/dist/commands/corpus/report.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAOH,MAAM,MAAM,WAAW,GAAG,SAAS,GAAG,SAAS,GAAG,OAAO,GAAG,YAAY,CAAC;AACzE,MAAM,MAAM,YAAY,GAAG,IAAI,GAAG,OAAO,GAAG,SAAS,CAAC;AAEtD,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,aAAa,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE,WAAW,CAAC;IACpB,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,YAAY,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,MAAM,WAAW,SAAS;IACxB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,kBAAkB,EAAE,OAAO,CAAC;IAC5B,KAAK,EAAE,YAAY,CAAC;IACpB,MAAM,EAAE,aAAa,CAAC;CACvB;AAED,MAAM,WAAW,SAAS;IACxB,cAAc,EAAE,CAAC,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,SAAS,EAAE,MAAM,CAAC;IAClB,KAAK,EAAE;QAAE,WAAW,EAAE,OAAO,CAAC;QAAC,KAAK,EAAE,OAAO,CAAA;KAAE,CAAC;IAChD,OAAO,EAAE,SAAS,EAAE,CAAC;CACtB;AAED,MAAM,WAAW,SAAS;IACxB,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;GAEG;AACH,wBAAgB,aAAa,CAAC,MAAM,EAAE,SAAS,GAAG,SAAS,CAmC1D;AAED;;;GAGG;AACH,wBAAgB,gBAAgB,CAAC,MAAM,EAAE,SAAS,GAAG,MAAM,CAG1D;AAED;;;;;GAKG;AACH,wBAAsB,cAAc,CAAC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAsBvF"}

package/dist/commands/corpus/report.js

@@ -0,0 +1,83 @@
+/**
+ * Run-summary types + writer for `vat corpus scan`.
+ *
+ * `summary.yaml` is the index for one scan run. Per-plugin full audit
+ * outputs and full skill-review outputs are written as sibling files
+ * referenced by relative `output_path`. Totals are derived from the
+ * per-plugin rows so callers can pass raw rows and let this module
+ * compute aggregates.
+ */
+import { mkdirSync, writeFileSync } from 'node:fs';
+import { safePath } from '@vibe-agent-toolkit/utils';
+import * as yaml from 'js-yaml';
+/**
+ * Compute totals over the per-plugin rows.
+ */
+export function computeTotals(report) {
+    const totals = {
+        plugins: report.plugins.length,
+        audit_clean: 0,
+        audit_warning: 0,
+        audit_error: 0,
+        unloadable: 0,
+    };
+    for (const row of report.plugins) {
+        switch (row.audit.status) {
+            case 'success': {
+                totals.audit_clean += 1;
+                break;
+            }
+            case 'warning': {
+                totals.audit_warning += 1;
+                break;
+            }
+            case 'error': {
+                totals.audit_error += 1;
+                break;
+            }
+            case 'unloadable': {
+                totals.unloadable += 1;
+                break;
+            }
+        }
+    }
+    if (report.flags.with_review) {
+        totals.reviewed = report.plugins.filter((p) => p.review.status !== 'skipped').length;
+    }
+    return totals;
+}
+/**
+ * Build the run directory name: `<YYYY-MM-DD>-<vat-short-sha>`.
+ * Date is the UTC date of `generated_at`.
+ */
+export function runDirectoryName(report) {
+    const datePart = report.generated_at.slice(0, 10); // 'YYYY-MM-DD'
+    return `${datePart}-${report.vat_commit}`;
+}
+/**
+ * Write `summary.yaml` (and create the run directory) under `outDir`.
+ * Returns the absolute path of the created run directory. Per-plugin
+ * sibling files (audit outputs, review outputs) are written by the
+ * runner — this function only writes the summary index.
+ */
+export async function writeRunReport(report, outDir) {
+    const runDir = safePath.join(outDir, runDirectoryName(report));
+    // eslint-disable-next-line local/no-fs-mkdirSync, security/detect-non-literal-fs-filename -- the corpus output dir is caller-supplied; mkdir-recursive is the right call here
+    mkdirSync(runDir, { recursive: true });
+    const totals = computeTotals(report);
+    const dump = {
+        schema_version: report.schema_version,
+        generated_at: report.generated_at,
+        vat_version: report.vat_version,
+        vat_commit: report.vat_commit,
+        seed_file: report.seed_file,
+        flags: report.flags,
+        plugins: report.plugins,
+        totals,
+    };
+    const summaryPath = safePath.join(runDir, 'summary.yaml');
+    // eslint-disable-next-line security/detect-non-literal-fs-filename -- summaryPath composed under our run dir
+    writeFileSync(summaryPath, yaml.dump(dump, { lineWidth: -1 }), 'utf-8');
+    return runDir;
+}
+//# sourceMappingURL=report.js.map

package/dist/commands/corpus/report.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"report.js","sourceRoot":"","sources":["../../../src/commands/corpus/report.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAE,SAAS,EAAE,aAAa,EAAE,MAAM,SAAS,CAAC;AAEnD,OAAO,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AACrD,OAAO,KAAK,IAAI,MAAM,SAAS,CAAC;AAuDhC;;GAEG;AACH,MAAM,UAAU,aAAa,CAAC,MAAiB;IAC7C,MAAM,MAAM,GAAc;QACxB,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;QAC9B,WAAW,EAAE,CAAC;QACd,aAAa,EAAE,CAAC;QAChB,WAAW,EAAE,CAAC;QACd,UAAU,EAAE,CAAC;KACd,CAAC;IAEF,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACjC,QAAQ,GAAG,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC;YACzB,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;gBACxB,MAAM;YACR,CAAC;YACD,KAAK,SAAS,CAAC,CAAC,CAAC;gBACf,MAAM,CAAC,aAAa,IAAI,CAAC,CAAC;gBAC1B,MAAM;YACR,CAAC;YACD,KAAK,OAAO,CAAC,CAAC,CAAC;gBACb,MAAM,CAAC,WAAW,IAAI,CAAC,CAAC;gBACxB,MAAM;YACR,CAAC;YACD,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,CAAC,UAAU,IAAI,CAAC,CAAC;gBACvB,MAAM;YACR,CAAC;QACH,CAAC;IACH,CAAC;IAED,IAAI,MAAM,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IACvF,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,gBAAgB,CAAC,MAAiB;IAChD,MAAM,QAAQ,GAAG,MAAM,CAAC,YAAY,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,eAAe;IAClE,OAAO,GAAG,QAAQ,IAAI,MAAM,CAAC,UAAU,EAAE,CAAC;AAC5C,CAAC;AAED;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,MAAiB,EAAE,MAAc;IACpE,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,gBAAgB,CAAC,MAAM,CAAC,CAAC,CAAC;IAC/D,8KAA8K;IAC9K,SAAS,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IAEvC,MAAM,MAAM,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,IAAI,GAAG;QACX,cAAc,EAAE,MAAM,CAAC,cAAc;QACrC,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,UAAU,EAAE,MAAM,CAAC,UAAU;QAC7B,SAAS,EAAE,MAAM,CAAC,SAAS;QAC3B,KAAK,EAAE,MAAM,CAAC,KAAK;QACnB,OAAO,EAAE,MAAM,CAAC,OAAO;QACvB,MAAM;KACP,CAAC;IAEF,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;IAC1D,6GAA6G;IAC7G,aAAa,CAAC,WAAW,EAAE,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,OAAO,CAAC,CAAC;IAExE,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/commands/corpus/runner.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Per-plugin orchestrator for `vat corpus scan`.
+ *
+ * Phase 1 scope: resolve source (local or URL), optionally overlay a
+ * synthetic `vibe-agent-toolkit.config.yaml` from the entry's `validation:`
+ * block, run `vat audit` in-process, optionally invoke `vat skill review`,
+ * write per-plugin sibling files into the run directory, and return a
+ * PluginRow. Per-plugin failures never abort the loop.
+ *
+ * URL handling clones via Layer 1's `withClonedRepo` helper. Validation
+ * overlay (Task 5) is added on top of this base.
+ */
+import type { PluginRow } from './report.js';
+import type { PluginEntry } from './seed.js';
+export interface RunnerOptions {
+    runDir: string;
+    withReview: boolean;
+    debug: boolean;
+}
+/**
+ * Run audit + optional review against one plugin entry.
+ */
+export declare function auditOnePlugin(entry: PluginEntry, opts: RunnerOptions): Promise<PluginRow>;
+//# sourceMappingURL=runner.d.ts.map

package/dist/commands/corpus/runner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"runner.d.ts","sourceRoot":"","sources":["../../../src/commands/corpus/runner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAgBH,OAAO,KAAK,EAA2C,SAAS,EAAiB,MAAM,aAAa,CAAC;AACrG,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,WAAW,CAAC;AAqB7C,MAAM,WAAW,aAAa;IAC5B,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,OAAO,CAAC;IACpB,KAAK,EAAE,OAAO,CAAC;CAChB;AA0BD;;GAEG;AACH,wBAAsB,cAAc,CAClC,KAAK,EAAE,WAAW,EAClB,IAAI,EAAE,aAAa,GAClB,OAAO,CAAC,SAAS,CAAC,CAKpB"}